Site-to-Site and Remote VPN

daniel.kline
Level 1

I am preparing to configure a couple of PIX 515E firewalls to establish a LAN-to-LAN (site-to-site) VPN. Each of these firewalls must also support remote Cisco 3.X VPN client connectivity. Among my questions is: will the "isakmp identity key" command work for both remote (dynamic address) users as well as the site-to-site (static address) connections? And with the vpngroup configuration commands, do I still require "isakmp client configuration address-pool local..."? I have included the FW configs below for any additional comments or suggestions:

! PA VPN Configuration
!
isakmp enable outside
sysopt connection permit-ipsec
!
crypto ipsec transform-set btrans esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set btrans
crypto dynamic-map dynmap 10 match address b2remote
!
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.210.0 255.255.255.0
!
access-list b2v permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list b2v permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
!
access-list b2remote permit ip 192.168.1.0 255.255.255.0 192.168.210.0 255.255.255.0
access-list b2remote permit ip 192.168.210.0 255.255.255.0 192.168.1.0 255.255.255.0
!
! Use crypto-map sequence 10 for PIX to PIX
!
crypto map bc 10 ipsec-isakmp
crypto map bc 10 match address b2v
crypto map bc 10 set peer xx.xx.24.161
crypto map bc 10 set transform-set btrans
!
! Use crypto-map sequence 50 for PIX to VPN Client
!
crypto map bc 50 ipsec-isakmp dynamic dynmap
!
crypto map bc interface outside
!
nat (inside) 0 access-list nonat
!
isakmp key ************ address xx.xx.24.161 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******* address 0.0.0.0 netmask 0.0.0.0
!
isakmp identity address
!
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 43200
!
!--- IPSec group configuration for VPN Client
!
vpngroup remote address-pool ippool
vpngroup remote dns-server 192.168.1.x
vpngroup remote wins-server 192.168.1.x
vpngroup remote default-domain **.com
vpngroup remote idle-time 1800
vpngroup remote password **********
!
ip local pool ippool 192.168.210.0 - 192.168.210.254

**********************************************************************************

! NJ VPN Configuration
!
isakmp enable outside
sysopt connection permit-ipsec
!
crypto ipsec transform-set vtrans esp-des esp-md5-hmac
crypto dynamic-map dynmap 30 set transform-set vtrans
crypto dynamic-map dynmap 30 match address v2remote
!
access-list nonat permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat permit ip 192.168.100.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat permit ip 192.168.100.0 255.255.255.0 192.168.211.0 255.255.255.0
!
access-list v2b permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list v2b permit ip 192.168.100.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list v2b permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list v2b permit ip 192.168.2.0 255.255.255.0 192.168.100.0 255.255.255.0
!
access-list v2remote permit ip 192.168.100.0 255.255.255.0 192.168.211.0 255.255.255.0
access-list v2remote permit ip 192.168.211.0 255.255.255.0 192.168.100.0 255.255.255.0
!
! Use crypto-map sequence 10 for PIX to PIX
!
crypto map vnj 10 ipsec-isakmp
crypto map vnj 10 match address v2b
crypto map vnj 10 set peer xx.xx.36.118
crypto map vnj 10 set transform-set vtrans
!
! Use crypto-map sequence 50 for PIX to VPN Client
!
crypto map vnj 50 ipsec-isakmp dynamic dynmap
!
crypto map vnj interface outside
!
nat (inside) 0 access-list nonat
!
isakmp key ************ address xx.xx.36.118 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******* address 0.0.0.0 netmask 0.0.0.0
!
isakmp identity address
!
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 43200
!
!--- IPSec group configuration for VPN Client
!
vpngroup remote address-pool ippool
vpngroup remote dns-server 192.168.1.x
vpngroup remote wins-server 192.168.1.x
vpngroup remote default-domain **.com
vpngroup remote idle-time 1800
vpngroup remote password **********
!
ip local pool ippool 192.168.211.0 - 192.168.211.254

1 Reply

daniel.kline
Level 1

Also, do I need to include the following commands . . .

crypto map client configuration address initiate

crypto map client configuration address respond

. . . in order to make this config work?
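A quick sanity check for the kind of mixed static/dynamic crypto map posted above, written as an added example rather than anything from the thread: it parses a constructed excerpt of the PA config (masked peer and keys kept as placeholders) and verifies that the dynamic map entry carries the highest sequence, that a wildcard pre-shared key exists for dynamic-address clients, and that every inside-to-remote flow a crypto ACL protects (including the client pool) is also exempted by the nat 0 ACL.

```python
import re
from ipaddress import ip_address, ip_network
# Constructed excerpt of the PA PIX config quoted in the post (peer IP and keys kept masked).
PA_CONFIG = """
crypto dynamic-map dynmap 10 match address b2remote
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.210.0 255.255.255.0
access-list b2v permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list b2v permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list b2remote permit ip 192.168.1.0 255.255.255.0 192.168.210.0 255.255.255.0
crypto map bc 10 ipsec-isakmp
crypto map bc 10 match address b2v
crypto map bc 50 ipsec-isakmp dynamic dynmap
nat (inside) 0 access-list nonat
isakmp key ***** address xx.xx.24.161 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ***** address 0.0.0.0 netmask 0.0.0.0
vpngroup remote address-pool ippool
ip local pool ippool 192.168.210.0 - 192.168.210.254
"""
def acl_entries(config):
    """Map each ACL name to its list of (src, dst) ip_network pairs."""
    acls = {}
    for name, src, smask, dst, dmask in re.findall(
            r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)", config):
        acls.setdefault(name, []).append((ip_network(f"{src}/{smask}"), ip_network(f"{dst}/{dmask}")))
    return acls
def check_pix_vpn(config):
    """Return a list of findings; an empty list means every check passed."""
    findings, acls = [], acl_entries(config)
    # 1. The dynamic entry must have the highest sequence so static peers are tried first.
    static = [int(s) for s in re.findall(r"crypto map \S+ (\d+) ipsec-isakmp$", config, re.M)]
    dynamic = [int(s) for s in re.findall(r"crypto map \S+ (\d+) ipsec-isakmp dynamic", config)]
    if static and dynamic and min(dynamic) <= max(static):
        findings.append("dynamic crypto map sequence must be higher than every static entry")
    # 2. Dynamic-address clients can only match a wildcard (0.0.0.0) pre-shared key.
    if dynamic and not re.search(r"isakmp key \S+ address 0\.0\.0\.0 netmask 0\.0\.0\.0", config):
        findings.append("no wildcard isakmp key for dynamic-address peers")
    # 3. Every inside->remote flow in a crypto ACL must also be exempt from NAT (nat 0).
    m = re.search(r"nat \(inside\) 0 access-list (\S+)", config)
    nonat = acls.get(m.group(1), []) if m else []
    inside = {src for src, _ in nonat}  # networks the nat 0 ACL treats as local
    for name in re.findall(r"match address (\S+)", config):
        for src, dst in acls.get(name, []):
            if src in inside and (src, dst) not in nonat:
                findings.append(f"{name}: {src} -> {dst} is encrypted but not NAT-exempt")
    # 4. The vpngroup pool must be defined and lie inside a NAT-exempt destination.
    for pool in re.findall(r"vpngroup \S+ address-pool (\S+)", config):
        m = re.search(rf"ip local pool {pool} (\S+) - ", config)
        if not m or not any(ip_address(m.group(1)) in dst for _, dst in nonat):
            findings.append(f"pool {pool} is undefined or not covered by the nat 0 ACL")
    return findings
```

Run `check_pix_vpn` over either config from the post; the NJ side can be checked the same way once its lines are pasted into the string.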